Require BitLocker drive encryption via Windows 10 MDM

This blog post uses the BitLocker configuration service provider (CSP) to manage drive encryption on Windows 10 devices. This CSP was added in Windows 10, version 1703, which is currently available as Insider Preview build.

This blog post will be about requiring BitLocker drive encryption on Windows 10 devices. Until Windows 10, version 1703, this was not possible. It was only possible to create a compliance policy that would block access to Windows 10 devices without BitLocker enabled. Windows 10, version 1703, introduces the BitLocker CSP, which enables the administrator to manage BitLocker settings via Windows 10 MDM. In this post I’ll briefly go through the available settings in the BitLocker CSP and I’ll show how to require BitLocker drive encryption via Microsoft Intune hybrid and Microsoft Intune standalone. I’ll end this post by showing the end-user experience.

Configuration

I’ll split the configuration in two sections. The first section about the available settings in the BitLocker CSP and the second section about how to configure the BitLocker drive encryption requirement. As the BitLocker CSP is new in Windows 10, version 1703, I thought it would be good to briefly go through the available settings.

Available settings

Let’s start by going through the available settings in the BitLocker CSP. The root node for the BitLocker CSP is ./Device/Vendor/MSFT/BitLocker and it contains the following settings.

Setting Description
RequireStorageCardEncryption This setting allows the administrator to require storage card encryption on the device.
RequireDeviceEncryption This setting allows the administrator to require encryption to be turned on by using BitLocker.
EncryptionMethodByDriveType This setting allows the administrator to configure the algorithm and cipher strength used by BitLocker.
SystemDrivesRequireStartupAuthentication This setting allows the administrator to configure whether additional authentication is required each time the computer starts.
SystemDrivesMinimumPINLength This setting allows the administrator to configure a minimum length for a TPM startup PIN.
SystemDrivesRecoveryMessage This setting allows the administrator to configure the recovery message or replace the existing URL.
SystemDrivesRecoveryOptions This setting allows the administrator to control how operating system drives are recovered.
FixedDrivesRecoveryOptions This setting allows the administrator to control how fixed data drives are recovered.
FixedDrivesRequireEncryption This setting allows the administrator to require BitLocker for fixed data drives to be writable on a computer.
RemovableDrivesRequireEncryption This setting allows the administrator to require BitLocker for a removable drive to be able to write data.

Configure settings

Now that I’ve been through all the available settings in the BitLocker CSP, let’s have closer look at the setting that enables the administrator to require BitLocker drive encryption. That’s the setting RequireDeviceEncryption. However, keep in mind that this still does require an interaction with the end-user. The end-user has to provide information about the currently used drive encryption and the end-user has to start the BitLocker drive encryption process. More about that in the end-user experience section. To require BitLocker drive encryption the following OMA-URI configuration can be used:

  • OMA-URI: ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
  • Date type: Integer
  • Value: 1

This configuration information can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.

Environment Configuration guidelines
Microsoft Intune hybrid

BitLocker_IntuneHybridThe configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select Windows 8.1 and Windows 10 (below Settings for devices managed without the Configuration Manager client) on the General page and to select Windows 10 on the Supported Platforms page. Now select Configure additional settings that are not in the default setting groups on the Device Settings page and the configuration can begin by using the earlier mentioned OMA-URI settings.

Once the configurations are finished, the created configuration items can be added to a configuration baseline and can be deployed to Windows 10 devices.

Microsoft Intune standalone (Azure portal)

BitLocker_IntuneStandaloneThe configuration in Microsoft Intune standalone, in the Azure portal, can be performed by creating a Device configuration. Create a new profile, or add a row to an existing custom profile. With a new profile, make sure to select Windows 10 and later as Platform and Custom as Profile type. In the Custom OMA-URI Settings blade, add the custom settings by using the earlier mentioned OMA-URI settings.

Once the configurations are finished, the profile can be saved and can be deployed to Windows 10 devices.

End-user experience

Let’s end this post with the end-user experience. As I mentioned earlier, the end-user must still interact with the messages generated by the configuration to require BitLocker drive encryption. Once the configuration arrives at the Windows 10 device, the end-user will receive a toast message stating that “Encryption is needed”, as shown below on the left. After selecting that notification, the end-user will receive a dialog box with the question “Are you ready to start encryption”, as shown below on the right.

BitLocker_ToastMessage BitLocker_DialogBox

After checking the applicable boxes and clicking Yes, the end-user will get the standard BitLocker Drive Encryption wizard. During that wizard the end-user must specify the location to back up the recovery key, choose the encryption method and the end-user can start the encryption.

More information

For more information about the BitLocker CSP, please refer to this article about the BitLocker CSP.

18 thoughts on “Require BitLocker drive encryption via Windows 10 MDM”

  1. Hi Peter

    Does this only apply to InstantGo devices? I tried deploying to a ThinkPad T460 but received this error: “0x87D10196 : Syncml(406): The requested command failed because an optional feature in the request was not supported.”

    Documentation doesn’t exactly specify which device types are supported, unless I’m over-reading. Thanks!

    Reply
    • Hi Phil,

      I actually don’t know. Like you mentioned, the docs don’t mention anything specific about InstantGo capable devices. That being said, to my knowledge an InstandGo capable device should automatically encrypt during Azure AD join.

      Regards,
      Peter

      Reply
  2. @Phil: This should work for all devices not just instant go that have Bitlocker. Bitlocker is not available on home edition and not available by default on server editions. Was your device one of these?

    @Rene: right now, yes you need to be a local admin for encryption to start and recovery key to be escrowed

    Reply
  3. Old post I know, but can anyone shed any light on the function of the ‘Don’t ask me again’ tick box? Does this allow the user to select No to encryption, and ‘don’t ask me again’ to stop the notification ever coming up again. Seems to defeat the object of an admin controlled configuration setting if that’s the case. Thanks.
    PS: Great blog by the way!

    Reply
  4. Peter,
    Great read — thanks! Wondering if you may be able to shed some more light… Have an Intune endpoint protection policy that’s erroring out on the following BitLocker settings:

    BitLockerFixedDrivesRequireEncryption
    BitLockerSystemDrivesRecoveryOptions
    Warning for other disk encryption
    BitLockerRemovableDrivesRequireEncryption

    Same error details for all 4 — “Syncml(406): The requested command failed because an optional feature in the request was not supported.”

    Target device is a Surface Pro running Win 10 Pro. Any idea what “optional feature” isn’t present? I even tried modifying the policy settings where they would appear to affect those 4 settings but nothing seemed to make much difference.

    Thanks!

    Reply
  5. @Steve – good to know you’re having the same issues as me. Surface Pro LTE’s running Win10 Pro 1803 & 1809. Most of the fleet are showing errors with

    BitLockerSystemDrivesRequireStartupAuthentication
    BitLockerSystemDrivesRecoveryMessage
    BitLockerFixedDrivesRecoveryOptions
    BitLockerSystemDrivesRecoveryOptions

    With the error being: Syncml(406): The requested command failed because an optional feature in the request was not supported.

    Reply
  6. Sorry for the late reply… We’re running Win10 Pro 1803 (10.0.17134.523). Still have the same errors as recently as my Intune checking this afternoon. It would just be nice to be able to know that errors on our Intune dashboard were legitimate errors. Maybe a warning if I’m pushing a policy that a target device doesn’t support. Then again maybe I’m just being high maintenance…

    Steve

    Reply

Leave a Reply to Steve Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.